Create your own firewall with iptables using this simple script

I spent some time thinking about two things regarding iptables: most of those who look for these tutorials are beginners, and many are looking for something fairly simple that is already worked out.

This example is for a web server, but you can easily add more rules and adapt it to your needs.

Where you see "x", substitute your own IP addresses.


#!/bin/bash

# Flush the filter table and delete any user-defined chains
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, used for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best approach for beginners and it is still
# not bad. OUTPUT is ACCEPT because those are outgoing connections, INPUT
# discards everything, and no server should FORWARD.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1

# Keep state. Everything that is already connected (established) is left alone:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback device
iptables -A INPUT -i lo -j ACCEPT

# http, https: we do not specify the interface because we want it on all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ssh only internally and from this range of IPs
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT

# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 10050 -j ACCEPT

# icmp, ping: well, it's up to you
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT

# mysql (with postgres it is port 5432)
iptables -A INPUT -p tcp -s 192.168.x.x --sport 3306 -i $intranet -j ACCEPT

# sendmail, bueeeh, if you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
#
SERVER_IP="190.x.x.x"        # server IP - the real WAN IP of your server
LAN_RANGE="192.168.x.x/21"   # LAN range of your network or your VLAN
# IPs that should never come in through the extranet. A bit of logic: if we
# have a purely WAN interface, LAN-type traffic should never enter through it.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action - performed when any of these rules matches
ACTION="DROP"

# Packets carrying my own server's IP arriving through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range on the WAN. I put it like this in case you have
# some particular network, but this is redundant with the rule inside the
# "for" loop below
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## All SPOOF networks are not allowed on the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
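As an added example that is not part of the original post, here is a small Python model of how iptables walks the INPUT chain of the script above, with constructed values standing in for the "x" placeholders (eth0 as $intranet, eth1 as $extranet, 192.168.1.0/24 as the LAN). It shows that traversal stops at the first matching rule, so the anti-spoofing DROPs appended with -A after the port 80/443 ACCEPTs are never reached by traffic to those ports; SPOOF_FIRST models inserting them ahead (-I) instead.

```python
import ipaddress

# Constructed values standing in for the post's "x" placeholders.
LAN = ipaddress.ip_network("192.168.1.0/24")        # the -s 192.168.x.x/24 range
INTRANET, EXTRANET = "eth0", "eth1"                  # $intranet, $extranet
SPOOF_IPS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(target, **match):
    """One iptables rule: a dict of match criteria plus a target."""
    return (match, target)

# The ACCEPT rules in the order the script appends them with -A ...
ACCEPTS = [
    rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", proto="tcp", dport=80),
    rule("ACCEPT", proto="tcp", dport=443),
    rule("ACCEPT", proto="tcp", src=LAN, iface=INTRANET, dport=7659),
    rule("ACCEPT", proto="tcp", src=LAN, iface=INTRANET, dport=10050),
    rule("ACCEPT", proto="icmp", src=LAN, iface=INTRANET),
]
# ... followed by the anti-spoofing DROPs produced by the "for" loop.
ANTI_SPOOF = [rule("DROP", iface=EXTRANET, src=n) for n in SPOOF_IPS]
AS_WRITTEN = ACCEPTS + ANTI_SPOOF     # -A appends: spoof checks come last
SPOOF_FIRST = ANTI_SPOOF + ACCEPTS    # what inserting them with -I would give
POLICY = "DROP"                       # iptables -P INPUT DROP

def matches(match, pkt):
    """True when every criterion of the rule matches the packet."""
    for key, want in match.items():
        have = pkt.get(key)
        if key == "src":                  # -s: source address within the network
            if ipaddress.ip_address(have) not in want:
                return False
        elif key == "state":              # -m state --state ...
            if have not in want:
                return False
        elif have != want:                # -i, -p, --dport: exact match
            return False
    return True

def verdict(pkt, chain=AS_WRITTEN, policy=POLICY):
    """First-match traversal: (target, index of the matching rule), or the
    chain policy with index None when no rule matches."""
    for i, (match, target) in enumerate(chain):
        if matches(match, pkt):
            return target, i
    return policy, None

def packet(src, iface, proto="tcp", dport=None, state="NEW"):
    """A constructed inbound packet as the simulator sees it."""
    return {"src": src, "iface": iface, "proto": proto, "dport": dport, "state": state}
```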

As always, I await your comments. Stay tuned to this blog. Thank you.



  1.   HO2Gi said

    It helps me to keep learning a little more. Thanks, copied.

    1.    brodydalle said

      you're welcome, glad to be of help

  2.   Javier said

    I'm really sorry, but I have two questions (and one as a gift 😉):

    Would this configuration be enough to have Apache running and close everything else except SSH?

    #We clean tables
    iptables -F
    iptables -X

    # We clean NAT
    iptables -t nat -F
    iptables -t nat -X

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    # ssh only internally and from this range of ip's
    iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT

    Second question: Is 7659 the port used in SSH in this example?

    And third and last: in which file should this configuration be saved?

    Thank you very much for the tutorial; it is a shame to be such a newbie and not be able to take full advantage of it.

    1.    brodydalle said

      this is the rule you need for http from apache
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT

      but you also need to declare the default drop policies (it's in the script)
      iptables -P INPUT DROP
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD DROP

      and this one, because if you are remote, it will kick you out.
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

      yes, 7659 is the ssh port in the example; by default it is 22, although I recommend changing it to a port that is "not well known"
      man, I don't know, whatever you want ... firewall.sh, and you put it in rc.local (sh firewall.sh) so that it runs automatically; it depends on what operating system you have, there are files where you can put the rules directly.

  3.   jge said

    Eii, very good script, bro. Analyzing it.... Do you know how I could deny all of my users' requests to a specific website?.... but this website has a lot of servers....

    1.    brodydalle said

      I recommend other options:
      1) You can create a fake zone in your dns ...
      2) You can place a proxy with acl
      but nevertheless
      for iptables you can do it like this ... it is not always the best option (there are more ways)
      iptables -A INPUT -s blog.desdelinux.net -j DROP
      iptables -A OUTPUT -d blog.desdelinux.net -j DROP

      Tell me if it worked

  4.   Javier said

    Thanks for the answer, everything is cleared up. I was asking about the port because I was surprised to see 7659 used, since the private ports start at 49152, and it could interfere with some service or something.
    Again, thanks for everything, that's nice!

    Greetings.

  5.   sic said

    BrodyDalle, how can I get in touch with you? Very interesting your script.

  6.   Carlos said

    Is the second-to-last line "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" there to prevent your own machine from spoofing? Or is it possible that some poisoned packet enters and can leave with that poisoned source, and that is why the rule is also included on OUTPUT?
    Thank you very much for the clarification!!!

  7.   fran said

    this is my own iptables script; it is very complete:

    #!/bin/bash
    # franes.iptables.airoso
    # doc.iptables.airoso: iptables for legacy and for nft
    #
    # firewall ports
    ##############################
    #
    # clear the screen
    ############################### start of /etc/f-iptables/default.cfg |||||
    clear
    # leave a blank line
    echo
    # $yes expands to nothing, so the command runs; $no turns the line into an
    # "echo off ..." whose output goes to /dev/null, so that rule is skipped
    export yes="" no="echo off"
    # the variables you can change to allow access
    ###################### variables to modify with $yes or $no
    export hayexcepciones="$no"
    # hayexcepciones: $yes to allow the exceptional hosts and $no to disable them
    export hayping="$no"
    # hayping: $yes to allow pings to third parties and $no to deny them
    export haylogserver="$no"
    # haylogserver: $yes to log incoming tcp to the logserver ports, $no not to log
    # # # # # #
    ###################### variables to modify, separating with "," or with ranges using ":"
    export exceptions="baldras.wesnoth.org"
    # exceptions: one or several hosts exempt from the firewall, or no value
    export logserver=discard,ipp,dict,ssh
    # logserver: tcp server ports that are logged when packets come in
    export redserver=0/0
    # redserver: the network for server ports, preferably the local network or a few IPs
    export clientnet=0/0
    # clientnet: the network for client ports, preferably all networks
    export servidortcp=discard,ipp,dict,6771
    # servidortcp: the specified tcp server ports
    export serverudp=discard
    # serverudp: the specified udp server ports
    export clientudp=domain,bootpc,bootps,ntp,20000:45000
    # clientudp: the specified udp client ports
    export clienttcp=domain,http,https,ipp,git,dict,14999:15002
    # clienttcp: the specified tcp client ports
    ############################## end of /etc/f-iptables/default.cfg |||||
    ############################### end of variables to modify
    export firewall=$1 variables=$2
    if [ -z "$variables" ]; then source /etc/f-iptables/default.cfg;
    else source /etc/f-iptables/$2; fi
    ############################### or a .cfg file will overwrite the variables above
    ############################################################################
    ########################################## automatic system variables
    if [ "$firewall" = "disconnected" ]; then echo FIREWALL DISCONNECTED;
    export activateserver="$no" activateclient="$no" wet="$no";
    elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
    export activateserver="$no" activateclient="" wet="$no";
    elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
    export activateserver="" activateclient="$no" wet="$no";
    elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
    export activateserver="" activateclient="" wet="$no";
    elif [ "$firewall" = "permissive" ]; then echo PERMISSIVE FIREWALL;
    export activateserver="$no" activateclient="$no" wet="";
    else
    echo iptables-legacy:
    sudo iptables-legacy -v -L INPUT
    sudo iptables-legacy -v -L OUTPUT
    echo iptables-nft:
    sudo iptables-nft -v -L INPUT
    sudo iptables-nft -v -L OUTPUT
    echo _____parameters____ $0 $1 $2
    echo "Running without parameters lists iptables."
    echo "The first parameter (enable iptables): disconnected or client or server or clientandserver or permissive."
    echo "The second parameter (optional): the .cfg file; by default it chooses /etc/f-iptables/default.cfg"
    echo "Variable settings:" $(ls /etc/f-iptables/)
    exit 0; fi
    ################
    echo
    echo Run $0 with disconnected or client or server or clientandserver or permissive, optionally followed by a variables file, or without parameters to list iptables.
    echo The $0 file contains some editable variables inside.
    ################################ the variables above are now set
    ################################
    echo setting the iptables variables
    echo activated variables
    echo
    ############################ the iptables rules, applied to both backends
    for ipt in iptables-legacy iptables-nft; do
    ip6=${ipt/iptables/ip6tables}
    echo Setting $ipt
    sudo /usr/sbin/$ipt -t filter -F
    sudo /usr/sbin/$ipt -t nat -F
    sudo /usr/sbin/$ipt -t mangle -F
    sudo /usr/sbin/$ip6 -t filter -F
    sudo /usr/sbin/$ip6 -t nat -F
    sudo /usr/sbin/$ip6 -t mangle -F
    sudo /usr/sbin/$ip6 -A INPUT -j DROP
    sudo /usr/sbin/$ip6 -A OUTPUT -j DROP
    sudo /usr/sbin/$ip6 -A FORWARD -j DROP
    sudo /usr/sbin/$ipt -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $haylogserver sudo /usr/sbin/$ipt -A INPUT -p tcp -m multiport --dports $logserver -j LOG > /dev/null
    $hayexcepciones sudo /usr/sbin/$ipt -A INPUT -s $exceptions -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/$ipt -A INPUT -p udp -m multiport --dports $serverudp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/$ipt -A INPUT -p tcp -m multiport --dports $servidortcp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/$ipt -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/$ipt -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $hayping sudo /usr/sbin/$ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT > /dev/null
    sudo /usr/sbin/$ipt -A INPUT -j DROP > /dev/null
    sudo /usr/sbin/$ipt -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $hayexcepciones sudo /usr/sbin/$ipt -A OUTPUT -d $exceptions -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/$ipt -A OUTPUT -p udp -m multiport --sports $serverudp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/$ipt -A OUTPUT -p tcp -m multiport --sports $servidortcp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/$ipt -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/$ipt -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $hayping sudo /usr/sbin/$ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT > /dev/null
    sudo /usr/sbin/$ipt -A OUTPUT -j DROP
    sudo /usr/sbin/$ipt -A FORWARD -j DROP
    echo $ipt enabled
    echo
    done
    ############################ permissive mode: flush and allow everything outbound
    for ipt in iptables-legacy iptables-nft; do
    $wet sudo /usr/sbin/$ipt -F > /dev/null
    $wet sudo /usr/sbin/$ipt -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $wet sudo /usr/sbin/$ipt -A INPUT -m state --state ESTABLISHED -j ACCEPT > /dev/null
    $wet sudo /usr/sbin/$ipt -A INPUT -j DROP > /dev/null
    $wet sudo /usr/sbin/$ipt -A OUTPUT -j ACCEPT > /dev/null
    $wet sudo /usr/sbin/$ipt -A FORWARD -j DROP > /dev/null
    done
    #############################
    echo you have run $0 $1 $2
    # exits the script
    exit 0

  8.   louis duran said

    How would I set up a rule if I used this firewall on my gateway and had a Squid inside the LAN???